SALLIE MAE Student Finance Expert Controls Compliance with RSA Archer GRC Suite
AT-A-GLANCE

Key Requirements
–– Introduce automated workflows to facilitate testing
–– Demonstrate full compliance with industry regulations and improved coverage over new mandates
–– Enhance visibility of compliance stature through simplified, reportable data

Solution
–– RSA Archer GRC Suite provides a single enterprise platform for compliance, issue resolution, and vendor management
–– Eliminates redundant testing
–– Flexible dashboards and reports create a real-time view of compliance

Results
–– 50,000 paper documents saved over two years
–– On-demand inquiry and reporting for impact analysis, management reporting, and audit requests

CUSTOMER PROFILE

Sallie Mae is the United States’ leading financial-services company specializing in education. Serving 25 million customers, it offers innovative savings tools, tuition payment plans, and education loans that promote responsible financial habits and reward success. The company manages or services $238 billion in education loans and administers $37 billion in 529 college savings plans.

KEY REQUIREMENTS

The IT compliance team at Sallie Mae has its work cut out for it. As a financial institution, it must demonstrate its ability to meet a raft of stringent regulations and requirements set by industry bodies, government departments, and other financial organizations with which it collaborates. As well as staying up to date with changing demands and business processes, it must keep full audit trails for all its compliance efforts on record for at least seven years.

With regulations including PCI-DSS and Sarbanes-Oxley to contend with, Sallie Mae already had around 1,100 individual requirements to meet, which it accomplished by building a specialized “control,” or process, for each requirement. When it made the decision to take on more federal contract work, this created a need for closer compliance with the Federal Information Security Management Act (FISMA) as well. The organization needed to demonstrate full compliance with all of these regulations and show its readiness to respond to any other new mandates that may emerge in the future.

With an already-busy compliance-management team, Sallie Mae wanted to minimize the burden of responding to these new requirements by automating its workflows to facilitate compliance testing as much as possible. It also needed to ensure that its overall compliance stature was clearly visible at any time, which meant that all relevant parties across the organization had to have easy access to simplified, reportable data.

SOLUTION

Eager to enhance visibility of and control over its compliance posture while reducing the manual time and cost involved in maintaining it, Sallie Mae worked with Deloitte Consulting to evaluate the best solution to meet its needs. Karen Delozier, Vice President, IT Risk and Compliance, Sallie Mae, recalls making the final choice: “It was clear to us that the RSA Archer GRC Suite was the most flexible, trustworthy, and easy-to-manage compliance solution. We liked the fact that it offered full traceability from authoritative sources to control level, as this was a real benefit for us.”

Sallie Mae implemented two modules of the RSA Archer GRC Suite to create a single enterprise platform for compliance, issue resolution, and vendor management. The Risk Management module automates the management and testing of more than 2,500 controls across the organization. Delozier and her team worked with Deloitte to identify areas of overlap between controls for different regulations, and to create Integrated Control Plans (ICPs) to cover all regulations without duplication. Each documented control now covers multiple mandates, creating a “test once, comply many” model, which reduces risk while optimizing control-management efficiency.

“We now have harmonized, integrated requirements, which have done away with the duplication of effort and redundant testing we faced before,” says Delozier. “We have created tailored dashboards for different user groups – such as executives and testing teams – so individuals can quickly and easily access the latest information about the controls relevant to their role. Control owners have also started using the platform as a document repository so we can more efficiently share control details across the organization from this central point.”

The team has also implemented the Vendor Management module of the RSA Archer GRC Suite to handle its compliance responsibilities around its interaction with vendors. Populated with all contact and security information about each vendor, the tool is used to automatically create a risk profile. Should the profile indicate the need for a more detailed security assessment of a particular vendor, that assessment process is started automatically. As a next step, vendors will be given online access to the platform in order to input their own information, creating an even more efficient alternative to the manual checks that Sallie Mae had to perform previously.

RESULTS

Sallie Mae now benefits from on-demand inquiry and reporting for impact analysis, management reporting, and audit requests, standing it in good stead to demonstrate its reliability to its new federal customers. In addition to this full traceability and visibility of current and past compliance efforts, and to the hard savings it has realized, Sallie Mae finds itself a much greener company than it was before, thanks to the shift towards automation. Print-outs and binders full of control details are a thing of the past, saving around 50,000 pages of paper over a two-year period. Additional savings are realized through the elimination of off-site storage costs.

“The efficiency and standardization that we’ve realized since deploying RSA Archer aren’t the only benefits. Collaboration with other RSA Archer users at the RSA Archer Summit and roadshows is another significant perk. We’ve been able to get some great insights into best practices, as other users have been more than willing to share knowledge and experiences,” observes Delozier.

Rather than relaxing in the wake of the project’s success, Sallie Mae is already planning the next phase by exploring other RSA Archer modules and ways to incorporate enterprise-wide solutions. Delozier concludes: “We’ve had some fantastic results with RSA Archer so far, and are excited about what else can be achieved.”

CONTACT US

To learn more about how RSA products, services, and solutions help solve your business and IT challenges, contact your local representative or authorized reseller – or visit us at www.emc.com/rsa.

©2012 EMC Corporation. All rights reserved. EMC, the EMC logo, RSA, the RSA logo, and Archer are the property of EMC Corporation in the United States and/or other countries. All other trademarks referenced are the property of their respective owners.